HBE-326 feature: server configuration through GraphQL API (#3591)

* feat: restart cmd added in aio service

* feat: nestjs config package added

* test: fix all broken test case

* feat: infra config module add with get-update-reset functionality

* test: fix test case failure

* feat: update infra configs mutation added

* feat: utilise ConfigService in util functions

* chore: remove saml stuff

* feat: removed saml stuffs

* fix: config service precedence

* fix: mailer module init with right env value

* feat: added mutations and query

* feat: add query infra-configs

* fix: mailer module init issue

* chore: smtp url validation added

* fix: all sso disabling is handled

* fix: pnpm i without db connection

* fix: allowedAuthProviders and enableAndDisableSSO

* fix: validateSMTPUrl check

* feat: get api added for fetch provider list

* feat: feedback resolve

* chore: update code comments

* fix: uppercase issue of VITE_ALLOWED_AUTH_PROVIDERS

* chore: update lockfile

* fix: add validation checks for MAILER_ADDRESS_FROM

* test: fix test case

* chore: feedback resolve

* chore: renamed an enum

* chore: app shutdown way changed

---------

Co-authored-by: Andrew Bastin <andrewbastin.k@gmail.com>

packages/hoppscotch-backend/src/auth/auth.controller.ts

@@ -2,7 +2,6 @@ import {
   Body,
   Controller,
   Get,
-  InternalServerErrorException,
   Post,
   Query,
   Request,
@@ -31,11 +30,21 @@ import { MicrosoftSSOGuard } from './guards/microsoft-sso-.guard';
 import { ThrottlerBehindProxyGuard } from 'src/guards/throttler-behind-proxy.guard';
 import { SkipThrottle } from '@nestjs/throttler';
 import { AUTH_PROVIDER_NOT_SPECIFIED } from 'src/errors';
+import { ConfigService } from '@nestjs/config';
 
 @UseGuards(ThrottlerBehindProxyGuard)
 @Controller({ path: 'auth', version: '1' })
 export class AuthController {
-  constructor(private authService: AuthService) {}
+  constructor(
+    private authService: AuthService,
+    private configService: ConfigService,
+  ) {}
+
+  @Get('providers')
+  async getAuthProviders() {
+    const providers = await this.authService.getAuthProviders();
+    return { providers };
+  }
 
   /**
    ** Route to initiate magic-link auth for a users email
@@ -45,8 +54,14 @@ export class AuthController {
     @Body() authData: SignInMagicDto,
     @Query('origin') origin: string,
   ) {
-    if (!authProviderCheck(AuthProvider.EMAIL))
+    if (
+      !authProviderCheck(
+        AuthProvider.EMAIL,
+        this.configService.get('INFRA.VITE_ALLOWED_AUTH_PROVIDERS'),
+      )
+    ) {
       throwHTTPErr({ message: AUTH_PROVIDER_NOT_SPECIFIED, statusCode: 404 });
+    }
 
     const deviceIdToken = await this.authService.signInMagicLink(
       authData.email,

packages/hoppscotch-backend/src/auth/auth.module.ts

@@ -2,7 +2,6 @@ import { Module } from '@nestjs/common';
 import { AuthService } from './auth.service';
 import { AuthController } from './auth.controller';
 import { UserModule } from 'src/user/user.module';
-import { MailerModule } from 'src/mailer/mailer.module';
 import { PrismaModule } from 'src/prisma/prisma.module';
 import { PassportModule } from '@nestjs/passport';
 import { JwtModule } from '@nestjs/jwt';
@@ -12,25 +11,47 @@ import { GoogleStrategy } from './strategies/google.strategy';
 import { GithubStrategy } from './strategies/github.strategy';
 import { MicrosoftStrategy } from './strategies/microsoft.strategy';
 import { AuthProvider, authProviderCheck } from './helper';
+import { ConfigModule, ConfigService } from '@nestjs/config';
+import { loadInfraConfiguration } from 'src/infra-config/helper';
+import { InfraConfigModule } from 'src/infra-config/infra-config.module';
 
 @Module({
   imports: [
     PrismaModule,
     UserModule,
-    MailerModule,
     PassportModule,
-    JwtModule.register({
-      secret: process.env.JWT_SECRET,
+    JwtModule.registerAsync({
+      imports: [ConfigModule],
+      inject: [ConfigService],
+      useFactory: async (configService: ConfigService) => ({
+        secret: configService.get('JWT_SECRET'),
+      }),
     }),
+    InfraConfigModule,
   ],
-  providers: [
-    AuthService,
-    JwtStrategy,
-    RTJwtStrategy,
-    ...(authProviderCheck(AuthProvider.GOOGLE) ? [GoogleStrategy] : []),
-    ...(authProviderCheck(AuthProvider.GITHUB) ? [GithubStrategy] : []),
-    ...(authProviderCheck(AuthProvider.MICROSOFT) ? [MicrosoftStrategy] : []),
-  ],
+  providers: [AuthService, JwtStrategy, RTJwtStrategy],
   controllers: [AuthController],
 })
-export class AuthModule {}
+export class AuthModule {
+  static async register() {
+    const env = await loadInfraConfiguration();
+    const allowedAuthProviders = env.INFRA.VITE_ALLOWED_AUTH_PROVIDERS;
+
+    const providers = [
+      ...(authProviderCheck(AuthProvider.GOOGLE, allowedAuthProviders)
+        ? [GoogleStrategy]
+        : []),
+      ...(authProviderCheck(AuthProvider.GITHUB, allowedAuthProviders)
+        ? [GithubStrategy]
+        : []),
+      ...(authProviderCheck(AuthProvider.MICROSOFT, allowedAuthProviders)
+        ? [MicrosoftStrategy]
+        : []),
+    ];
+
+    return {
+      module: AuthModule,
+      providers,
+    };
+  }
+}

packages/hoppscotch-backend/src/auth/auth.service.spec.ts

@@ -21,15 +21,26 @@ import { VerifyMagicDto } from './dto/verify-magic.dto';
 import { DateTime } from 'luxon';
 import * as argon2 from 'argon2';
 import * as E from 'fp-ts/Either';
+import { ConfigService } from '@nestjs/config';
+import { InfraConfigService } from 'src/infra-config/infra-config.service';
 
 const mockPrisma = mockDeep<PrismaService>();
 const mockUser = mockDeep<UserService>();
 const mockJWT = mockDeep<JwtService>();
 const mockMailer = mockDeep<MailerService>();
+const mockConfigService = mockDeep<ConfigService>();
+const mockInfraConfigService = mockDeep<InfraConfigService>();
 
 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
 // @ts-ignore
-const authService = new AuthService(mockUser, mockPrisma, mockJWT, mockMailer);
+const authService = new AuthService(
+  mockUser,
+  mockPrisma,
+  mockJWT,
+  mockMailer,
+  mockConfigService,
+  mockInfraConfigService,
+);
 
 const currentTime = new Date();
 
@@ -91,6 +102,8 @@ describe('signInMagicLink', () => {
     mockUser.createUserViaMagicLink.mockResolvedValue(user);
     // create new entry in VerificationToken table
     mockPrisma.verificationToken.create.mockResolvedValueOnce(passwordlessData);
+    // Read env variable 'MAGIC_LINK_TOKEN_VALIDITY' from config service
+    mockConfigService.get.mockReturnValue('3');
 
     const result = await authService.signInMagicLink(
       'dwight@dundermifflin.com',

packages/hoppscotch-backend/src/auth/auth.service.ts

@@ -28,6 +28,8 @@ import { AuthError } from 'src/types/AuthError';
 import { AuthUser, IsAdmin } from 'src/types/AuthUser';
 import { VerificationToken } from '@prisma/client';
 import { Origin } from './helper';
+import { ConfigService } from '@nestjs/config';
+import { InfraConfigService } from 'src/infra-config/infra-config.service';
 
 @Injectable()
 export class AuthService {
@@ -36,6 +38,8 @@ export class AuthService {
     private prismaService: PrismaService,
     private jwtService: JwtService,
     private readonly mailerService: MailerService,
+    private readonly configService: ConfigService,
+    private infraConfigService: InfraConfigService,
   ) {}
 
   /**
@@ -46,10 +50,12 @@ export class AuthService {
    */
   private async generateMagicLinkTokens(user: AuthUser) {
     const salt = await bcrypt.genSalt(
-      parseInt(process.env.TOKEN_SALT_COMPLEXITY),
+      parseInt(this.configService.get('TOKEN_SALT_COMPLEXITY')),
     );
     const expiresOn = DateTime.now()
-      .plus({ hours: parseInt(process.env.MAGIC_LINK_TOKEN_VALIDITY) })
+      .plus({
+        hours: parseInt(this.configService.get('MAGIC_LINK_TOKEN_VALIDITY')),
+      })
       .toISO()
       .toString();
 
@@ -95,13 +101,13 @@ export class AuthService {
    */
   private async generateRefreshToken(userUid: string) {
     const refreshTokenPayload: RefreshTokenPayload = {
-      iss: process.env.VITE_BASE_URL,
+      iss: this.configService.get('VITE_BASE_URL'),
       sub: userUid,
-      aud: [process.env.VITE_BASE_URL],
+      aud: [this.configService.get('VITE_BASE_URL')],
     };
 
     const refreshToken = await this.jwtService.sign(refreshTokenPayload, {
-      expiresIn: process.env.REFRESH_TOKEN_VALIDITY, //7 Days
+      expiresIn: this.configService.get('REFRESH_TOKEN_VALIDITY'), //7 Days
     });
 
     const refreshTokenHash = await argon2.hash(refreshToken);
@@ -127,9 +133,9 @@ export class AuthService {
    */
   async generateAuthTokens(userUid: string) {
     const accessTokenPayload: AccessTokenPayload = {
-      iss: process.env.VITE_BASE_URL,
+      iss: this.configService.get('VITE_BASE_URL'),
       sub: userUid,
-      aud: [process.env.VITE_BASE_URL],
+      aud: [this.configService.get('VITE_BASE_URL')],
     };
 
     const refreshToken = await this.generateRefreshToken(userUid);
@@ -137,7 +143,7 @@ export class AuthService {
 
     return E.right(<AuthTokens>{
       access_token: await this.jwtService.sign(accessTokenPayload, {
-        expiresIn: process.env.ACCESS_TOKEN_VALIDITY, //1 Day
+        expiresIn: this.configService.get('ACCESS_TOKEN_VALIDITY'), //1 Day
       }),
       refresh_token: refreshToken.right,
     });
@@ -218,14 +224,14 @@ export class AuthService {
     let url: string;
     switch (origin) {
       case Origin.ADMIN:
-        url = process.env.VITE_ADMIN_URL;
+        url = this.configService.get('VITE_ADMIN_URL');
         break;
       case Origin.APP:
-        url = process.env.VITE_BASE_URL;
+        url = this.configService.get('VITE_BASE_URL');
         break;
       default:
         // if origin is invalid by default set URL to Hoppscotch-App
-        url = process.env.VITE_BASE_URL;
+        url = this.configService.get('VITE_BASE_URL');
     }
 
     await this.mailerService.sendEmail(email, {
@@ -377,4 +383,8 @@ export class AuthService {
 
     return E.right(<IsAdmin>{ isAdmin: false });
   }
+
+  getAuthProviders() {
+    return this.infraConfigService.getAllowedAuthProviders();
+  }
 }

packages/hoppscotch-backend/src/auth/guards/github-sso.guard.ts

@@ -3,14 +3,25 @@ import { AuthGuard } from '@nestjs/passport';
 import { AuthProvider, authProviderCheck, throwHTTPErr } from '../helper';
 import { Observable } from 'rxjs';
 import { AUTH_PROVIDER_NOT_SPECIFIED } from 'src/errors';
+import { ConfigService } from '@nestjs/config';
 
 @Injectable()
 export class GithubSSOGuard extends AuthGuard('github') implements CanActivate {
+  constructor(private readonly configService: ConfigService) {
+    super();
+  }
+
   canActivate(
     context: ExecutionContext,
   ): boolean | Promise<boolean> | Observable<boolean> {
-    if (!authProviderCheck(AuthProvider.GITHUB))
+    if (
+      !authProviderCheck(
+        AuthProvider.GITHUB,
+        this.configService.get('INFRA.VITE_ALLOWED_AUTH_PROVIDERS'),
+      )
+    ) {
       throwHTTPErr({ message: AUTH_PROVIDER_NOT_SPECIFIED, statusCode: 404 });
+    }
 
     return super.canActivate(context);
   }

packages/hoppscotch-backend/src/auth/guards/google-sso.guard.ts

@@ -3,14 +3,25 @@ import { AuthGuard } from '@nestjs/passport';
 import { AuthProvider, authProviderCheck, throwHTTPErr } from '../helper';
 import { Observable } from 'rxjs';
 import { AUTH_PROVIDER_NOT_SPECIFIED } from 'src/errors';
+import { ConfigService } from '@nestjs/config';
 
 @Injectable()
 export class GoogleSSOGuard extends AuthGuard('google') implements CanActivate {
+  constructor(private readonly configService: ConfigService) {
+    super();
+  }
+
   canActivate(
     context: ExecutionContext,
   ): boolean | Promise<boolean> | Observable<boolean> {
-    if (!authProviderCheck(AuthProvider.GOOGLE))
+    if (
+      !authProviderCheck(
+        AuthProvider.GOOGLE,
+        this.configService.get('INFRA.VITE_ALLOWED_AUTH_PROVIDERS'),
+      )
+    ) {
       throwHTTPErr({ message: AUTH_PROVIDER_NOT_SPECIFIED, statusCode: 404 });
+    }
 
     return super.canActivate(context);
   }

packages/hoppscotch-backend/src/auth/guards/microsoft-sso-.guard.ts

@@ -3,20 +3,31 @@ import { AuthGuard } from '@nestjs/passport';
 import { AuthProvider, authProviderCheck, throwHTTPErr } from '../helper';
 import { Observable } from 'rxjs';
 import { AUTH_PROVIDER_NOT_SPECIFIED } from 'src/errors';
+import { ConfigService } from '@nestjs/config';
 
 @Injectable()
 export class MicrosoftSSOGuard
   extends AuthGuard('microsoft')
   implements CanActivate
 {
+  constructor(private readonly configService: ConfigService) {
+    super();
+  }
+
   canActivate(
     context: ExecutionContext,
   ): boolean | Promise<boolean> | Observable<boolean> {
-    if (!authProviderCheck(AuthProvider.MICROSOFT))
+    if (
+      !authProviderCheck(
+        AuthProvider.MICROSOFT,
+        this.configService.get('INFRA.VITE_ALLOWED_AUTH_PROVIDERS'),
+      )
+    ) {
       throwHTTPErr({
         message: AUTH_PROVIDER_NOT_SPECIFIED,
         statusCode: 404,
       });
+    }
 
     return super.canActivate(context);
   }

packages/hoppscotch-backend/src/auth/helper.ts

@@ -6,6 +6,7 @@ import { Response } from 'express';
 import * as cookie from 'cookie';
 import { AUTH_PROVIDER_NOT_SPECIFIED, COOKIES_NOT_FOUND } from 'src/errors';
 import { throwErr } from 'src/utils';
+import { ConfigService } from '@nestjs/config';
 
 enum AuthTokenType {
   ACCESS_TOKEN = 'access_token',
@@ -45,15 +46,17 @@ export const authCookieHandler = (
   redirect: boolean,
   redirectUrl: string | null,
 ) => {
+  const configService = new ConfigService();
+
   const currentTime = DateTime.now();
   const accessTokenValidity = currentTime
     .plus({
-      milliseconds: parseInt(process.env.ACCESS_TOKEN_VALIDITY),
+      milliseconds: parseInt(configService.get('ACCESS_TOKEN_VALIDITY')),
     })
     .toMillis();
   const refreshTokenValidity = currentTime
     .plus({
-      milliseconds: parseInt(process.env.REFRESH_TOKEN_VALIDITY),
+      milliseconds: parseInt(configService.get('REFRESH_TOKEN_VALIDITY')),
     })
     .toMillis();
 
@@ -75,10 +78,12 @@ export const authCookieHandler = (
   }
 
   // check to see if redirectUrl is a whitelisted url
-  const whitelistedOrigins = process.env.WHITELISTED_ORIGINS.split(',');
+  const whitelistedOrigins = configService
+    .get('WHITELISTED_ORIGINS')
+    .split(',');
   if (!whitelistedOrigins.includes(redirectUrl))
     // if it is not redirect by default to REDIRECT_URL
-    redirectUrl = process.env.REDIRECT_URL;
+    redirectUrl = configService.get('REDIRECT_URL');
 
   return res.status(HttpStatus.OK).redirect(redirectUrl);
 };
@@ -112,13 +117,16 @@ export const subscriptionContextCookieParser = (rawCookies: string) => {
  * @param provider Provider we want to check the presence of
  * @returns Boolean if provider specified is present or not
  */
-export function authProviderCheck(provider: string) {
+export function authProviderCheck(
+  provider: string,
+  VITE_ALLOWED_AUTH_PROVIDERS: string,
+) {
   if (!provider) {
     throwErr(AUTH_PROVIDER_NOT_SPECIFIED);
   }
 
-  const envVariables = process.env.VITE_ALLOWED_AUTH_PROVIDERS
-    ? process.env.VITE_ALLOWED_AUTH_PROVIDERS.split(',').map((provider) =>
+  const envVariables = VITE_ALLOWED_AUTH_PROVIDERS
+    ? VITE_ALLOWED_AUTH_PROVIDERS.split(',').map((provider) =>
         provider.trim().toUpperCase(),
       )
     : [];

packages/hoppscotch-backend/src/auth/strategies/github.strategy.ts

@@ -5,18 +5,20 @@ import { AuthService } from '../auth.service';
 import { UserService } from 'src/user/user.service';
 import * as O from 'fp-ts/Option';
 import * as E from 'fp-ts/Either';
+import { ConfigService } from '@nestjs/config';
 
 @Injectable()
 export class GithubStrategy extends PassportStrategy(Strategy) {
   constructor(
     private authService: AuthService,
     private usersService: UserService,
+    private configService: ConfigService,
   ) {
     super({
-      clientID: process.env.GITHUB_CLIENT_ID,
-      clientSecret: process.env.GITHUB_CLIENT_SECRET,
-      callbackURL: process.env.GITHUB_CALLBACK_URL,
-      scope: [process.env.GITHUB_SCOPE],
+      clientID: configService.get('INFRA.GITHUB_CLIENT_ID'),
+      clientSecret: configService.get('INFRA.GITHUB_CLIENT_SECRET'),
+      callbackURL: configService.get('GITHUB_CALLBACK_URL'),
+      scope: [configService.get('GITHUB_SCOPE')],
       store: true,
     });
   }

packages/hoppscotch-backend/src/auth/strategies/google.strategy.ts

@@ -5,18 +5,20 @@ import { UserService } from 'src/user/user.service';
 import * as O from 'fp-ts/Option';
 import { AuthService } from '../auth.service';
 import * as E from 'fp-ts/Either';
+import { ConfigService } from '@nestjs/config';
 
 @Injectable()
 export class GoogleStrategy extends PassportStrategy(Strategy) {
   constructor(
     private usersService: UserService,
     private authService: AuthService,
+    private configService: ConfigService,
   ) {
     super({
-      clientID: process.env.GOOGLE_CLIENT_ID,
-      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
-      callbackURL: process.env.GOOGLE_CALLBACK_URL,
-      scope: process.env.GOOGLE_SCOPE.split(','),
+      clientID: configService.get('INFRA.GOOGLE_CLIENT_ID'),
+      clientSecret: configService.get('INFRA.GOOGLE_CLIENT_SECRET'),
+      callbackURL: configService.get('GOOGLE_CALLBACK_URL'),
+      scope: configService.get('GOOGLE_SCOPE').split(','),
       passReqToCallback: true,
       store: true,
     });

packages/hoppscotch-backend/src/auth/strategies/jwt.strategy.ts

@@ -15,10 +15,14 @@ import {
   INVALID_ACCESS_TOKEN,
   USER_NOT_FOUND,
 } from 'src/errors';
+import { ConfigService } from '@nestjs/config';
 
 @Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
-  constructor(private usersService: UserService) {
+  constructor(
+    private usersService: UserService,
+    private configService: ConfigService,
+  ) {
     super({
       jwtFromRequest: ExtractJwt.fromExtractors([
         (request: Request) => {
@@ -29,7 +33,7 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
           return ATCookie;
         },
       ]),
-      secretOrKey: process.env.JWT_SECRET,
+      secretOrKey: configService.get('JWT_SECRET'),
     });
   }
 

packages/hoppscotch-backend/src/auth/strategies/microsoft.strategy.ts

@@ -5,19 +5,21 @@ import { AuthService } from '../auth.service';
 import { UserService } from 'src/user/user.service';
 import * as O from 'fp-ts/Option';
 import * as E from 'fp-ts/Either';
+import { ConfigService } from '@nestjs/config';
 
 @Injectable()
 export class MicrosoftStrategy extends PassportStrategy(Strategy) {
   constructor(
     private authService: AuthService,
     private usersService: UserService,
+    private configService: ConfigService,
   ) {
     super({
-      clientID: process.env.MICROSOFT_CLIENT_ID,
-      clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
-      callbackURL: process.env.MICROSOFT_CALLBACK_URL,
-      scope: [process.env.MICROSOFT_SCOPE],
-      tenant: process.env.MICROSOFT_TENANT,
+      clientID: configService.get('INFRA.MICROSOFT_CLIENT_ID'),
+      clientSecret: configService.get('INFRA.MICROSOFT_CLIENT_SECRET'),
+      callbackURL: configService.get('MICROSOFT_CALLBACK_URL'),
+      scope: [configService.get('MICROSOFT_SCOPE')],
+      tenant: configService.get('MICROSOFT_TENANT'),
       store: true,
     });
   }

packages/hoppscotch-backend/src/auth/strategies/rt-jwt.strategy.ts

@@ -14,10 +14,14 @@ import {
   USER_NOT_FOUND,
 } from 'src/errors';
 import * as O from 'fp-ts/Option';
+import { ConfigService } from '@nestjs/config';
 
 @Injectable()
 export class RTJwtStrategy extends PassportStrategy(Strategy, 'jwt-refresh') {
-  constructor(private usersService: UserService) {
+  constructor(
+    private usersService: UserService,
+    private configService: ConfigService,
+  ) {
     super({
       jwtFromRequest: ExtractJwt.fromExtractors([
         (request: Request) => {
@@ -28,7 +32,7 @@ export class RTJwtStrategy extends PassportStrategy(Strategy, 'jwt-refresh') {
           return RTCookie;
         },
       ]),
-      secretOrKey: process.env.JWT_SECRET,
+      secretOrKey: configService.get('JWT_SECRET'),
     });
   }